Azure Automation Update Management

This reference architecture illustrates how to design a hybrid update management solution to manage updates on both Microsoft Azure and on-premises Windows and Linux computers.

Azure Update Management is a configuration component of Azure Automation. Windows and Linux computers, both in Azure and on-premises, send assessment information about missing updates to the Log Analytics workspace. Azure Automation then uses that information to create a schedule for automatic deployment of the missing updates.

Download a Visio file of this architecture.

Typical uses for this architecture include:

  • Managing updates across on-premises and in Azure using the Update Management component of Automation Account.
  • Using scheduled deployments to orchestrate the installation of updates within a defined maintenance window.

Architecture

The architecture consists of the following components:

  • Log Analytics workspace - A Log Analytics workspace is a data repository for log data that's collected from resources that run in Azure, on-premises, or in another cloud provider.
  • Automation Hybrid Worker solution - Create Hybrid Runbook Workers to run Azure Automation runbooks on your Azure and non-Azure computers.
  • Automation account - This is a cloud service that automates configuration and management across your Azure and non-Azure environments.
  • Hybrid Runbook Worker - This is a computer that's configured with the Hybrid Runbook Worker feature and can run runbooks directly on the computer and against the resources in the local environment.
  • Hybrid Runbook Worker group - It's a group of Hybrid Runbook Workers used for high availability.
  • Runbook - This is a collection of one or more linked activities that together automate a process or operation.
  • On-premises computers and VMs - These are physical computers and VMs that run Windows or Linux and reside on-premises.
  • Azure VMs - Azure VMs include Windows or Linux VMs that are hosted in Azure.

Recommendations

The following recommendations apply for most scenarios. Follow them unless you have a specific requirement that overrides them.

Update Management

Update Management is a configuration component of Automation. Windows and Linux computers, both in Azure and on-premises, send assessment information about missing updates to the Log Analytics workspace. Azure Automation then uses that information to create a schedule for automatic deployment of the missing updates.

The following steps highlight the actual implementation:

  1. Create a Log Analytics workspace.
  2. Create an Automation account.
  3. Link the Automation account with the Log Analytics workspace.
  4. Enable Update Management for Azure VMs.
  5. Enable Update Management for non-Azure VMs.

Create a Log Analytics workspace

Before you create a Log Analytics workspace, ensure that you have at least Log Analytics Contributor role permissions.

You can have more than one Log Analytics workspace for data isolation or for geographic location of data storage, but the Log Analytics agent can be configured to report to one Log Analytics workspace. For more information, review Designing your Azure Monitor Logs deployment before you create the workspace.

Use the following procedure to create a Log Analytics workspace:

  1. Sign in to the Azure portal at https://portal.azure.com.
  2. In the Azure portal, select Create a resource.
  3. In the Search the Marketplace box, enter Log Analytics. As you begin entering this text, the list filters based on your input. Select Log Analytics workspaces.
  4. Select Create, and then configure the following items:
    1. Select a different Subscription in the drop-down list if the default selection isn't appropriate.
    2. For the Resource Group, choose to use an existing resource group that's already set up or create a new one.
    3. Provide a unique name for the new Log Analytics workspace, such as HybridWorkspace-yourname.
    4. Select the Location for your deployment.
    5. Select a pricing tier to proceed to further customizations.
    6. If you're creating a workspace in a subscription that was created after April 2, 2018, it'll automatically use the Per GB pricing plan, and the option to select a pricing tier won't be available. If you're creating a workspace for an existing subscription that was created before that date or for a subscription that was tied to an existing Enterprise Agreement enrollment, select your preferred pricing tier. For more information about the particular tiers, refer to Log Analytics Pricing details.
    7. Select Tags and optionally provide a name and value for categorization of the resources.
    8. Select Review + Create.
  5. After providing the required information in the Log Analytics workspace pane, select Create.

Create an Automation account

After the Automation Hybrid Worker solution has been added to the Log Analytics workspace, proceed with creation of the Automation account. Refer to Supported regions for linked Log Analytics workspace to select the regions for the Automation account and the Log Analytics workspace. It's important that you create the Automation account based on the region mapping document and preferably in the same resource group as the Log Analytics workspace.

Use the following procedure to create an Automation account:

  1. In the Azure portal, select Create a resource.
  2. In the Search the Marketplace box, enter Automation. As you begin entering this text, the list filters based on your input. Select Automation, and then select Create.
  3. Select Create, and then configure the following items:
    1. Provide the Name for the Automation account, such as hybrid-auto.
    2. Select a different Subscription in the drop-down list if the default selection isn't appropriate.
    3. For the Resource Group, choose the resource group in which you want to create the Automation account (preferably the same one as the Log Analytics workspace).
    4. Select the Location based on the region mapping document.
    5. Create Azure Run As account is optional because this only provides authentication with Azure to manage Azure resources from Automation runbooks.
  4. After providing the required information in the Add Automation Account pane, select Create.

Automation accounts use the Hybrid Runbook Worker components that deploy in the Log Analytics workspace. You must integrate those services before you deploy a Log Analytics agent on an on-premises computer. Currently, mappings between Log Analytics workspaces and Automation accounts are supported in several regions. For further information, refer to Supported regions for linked Log Analytics workspace.

Use the following procedure to link an Automation account with a Log Analytics workspace:

  1. In the Azure portal, select All services, and then enter automation. As you begin entering this text, the list filters based on your input. Select Automation Account, and then select the Automation account that you created earlier.
  2. In the Automation Account pane, select Update Management in the Update Management section.
  3. In the Update Management pane, configure the following items:
    1. Select a different Subscription in the drop-down list if the default selection isn't appropriate.
    2. For Log Analytics workspace, select your existing Log Analytics workspace; for example, HybridWorkspace-yourname.
  4. After providing the required information in the Update Management pane, select Enable.

Enable Update Management for Azure VMs

Enable Update Management for Azure VMs by using the following tools:

Use the following procedure to enable Update Management for Azure VMs:

  1. In the Azure portal, select All services, and then enter automation. As you begin entering this text, the list filters based on your input. Select Automation Account, and then select the Automation account that you created earlier.
  2. In the Automation Account pane, select Update Management in the Update Management section.
  3. In the Update Management pane, select Add Azure VMs, select one or more VMs that are ready for Update Management, and then select Enable.

Deploy the Log Analytics agent and connect to a Log Analytics workspace

Deploying a Hybrid Runbook Worker component is part of the deployment of a Log Analytics agent.

If you test the solution by using an Azure VM, you can install the Log Analytics agent and enroll the VM in an existing Log Analytics workspace by using a VM extension for both Linux and Windows. You can also deploy the agent by using Azure Automation Desired State Configuration, a Windows PowerShell script, or by using a Resource Manager template for VMs. For more information, refer to Connect Windows computers to Azure Monitor.

For non-Azure VMs, deploy the agent by using a manual or automated process both on physical Windows and Linux computers or VMs that are in your environment.

For Windows computers, configure the agent to communicate with the Log Analytics service by using the Transport Layer Security (TLS) 1.2 protocol. Refer to Connect Windows computers to Azure Monitor for a detailed explanation of the deployment procedure.

The Log Analytics agent for Linux can be deployed:

  • Manually by using a shell script bundle that contains Debian and Red Hat Package Manager (RPM) packages for each of the agent components. This is recommended when a Linux computer doesn't have internet connectivity and will communicate with the Log Analytics service through the Log Analytics gateway.
  • By using a wrapper script that's hosted on GitHub when the computer has connectivity to the internet.

The Log Analytics agent must be configured to communicate with a Log Analytics workspace by using the workspace ID and key of the Log Analytics workspace.

Use the following procedure to deploy a Log Analytics agent and connect to a Log Analytics workspace:

  1. In the Azure portal, search for and select Log Analytics workspaces.
  2. In your list of Log Analytics workspaces, select the workspace that the agent uses for reporting.
  3. Select Agents management.
  4. Copy and paste the Workspace ID and Primary Key into your favorite editor.
  5. In your Log Analytics workspace, from the Windows Servers page that you browsed to earlier, select the appropriate Download Windows Agent version to download based on the processor architecture of the Windows operating system.
  6. Run Setup to install the agent on your computer.
  7. On the Welcome page, select Next.
  8. On the License Terms page, read the license, and then select I Agree.
  9. On the Destination Folder page, change or keep the default installation folder, and then select Next.
  10. On the Agent Setup Options page, choose to connect the agent to Azure Log Analytics, and then select Next.
  11. On the Azure Log Analytics page, perform the following steps:
    1. Paste the Workspace ID and Workspace Key (Primary Key) that you copied earlier. If the computer reports to a Log Analytics workspace in a Microsoft Azure Government cloud, select Azure US Government in the Azure Cloud drop-down list.
    2. If the computer needs to communicate through a proxy server to the Log Analytics service, select Advanced, and then provide the URL and port number of the proxy server. If your proxy server requires authentication, enter the username and password to authenticate with the proxy server, and then select Next.
  12. Select Next after you finish providing the necessary configuration settings.
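The same enrollment performed from PowerShell instead of the Setup wizard, as an added example that is not from the original article. It assumes the Az.Accounts and Az.OperationalInsights modules, an authenticated session (Connect-AzAccount), that the Windows agent installer from the portal step above has already been downloaded to $InstallerPath, and that the resource group, workspace and proxy values are placeholders; the TLS 1.2 registry values are the ones Microsoft documents for the agent.

```powershell
# Added example: enroll a Windows computer in a Log Analytics workspace from PowerShell.
# Assumes Az.Accounts + Az.OperationalInsights, Connect-AzAccount already done, and the
# installer (MMASetup-AMD64.exe) already downloaded. Resource names are placeholders.
param(
    [string]$ResourceGroupName = '<resource-group>',
    [string]$WorkspaceName     = 'HybridWorkspace-yourname',
    [string]$InstallerPath     = "$env:TEMP\MMASetup-AMD64.exe",
    [string]$ProxyUrl          = ''      # e.g. 'proxy.contoso.local:8080'; empty = direct
)

function Enable-Tls12ForAgent {
    # The agent talks to Log Analytics over TLS 1.2 only; make sure the .NET stack and the
    # SChannel client on this host allow it (values from Microsoft's agent documentation).
    $netKeys = @('HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319')
    foreach ($k in $netKeys) {
        if (Test-Path $k) {
            Set-ItemProperty -Path $k -Name SchUseStrongCrypto       -Value 1 -Type DWord
            Set-ItemProperty -Path $k -Name SystemDefaultTlsVersions -Value 1 -Type DWord
        }
    }
    $tls = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    New-Item -Path $tls -Force | Out-Null
    Set-ItemProperty -Path $tls -Name Enabled           -Value 1 -Type DWord
    Set-ItemProperty -Path $tls -Name DisabledByDefault -Value 0 -Type DWord
}

function Install-LogAnalyticsAgent {
    param([string]$WorkspaceId, [string]$WorkspaceKey, [string]$Proxy)
    # Silent-install properties documented for the Windows agent installer.
    # OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE: 0 = public cloud, 1 = Azure Government.
    $setupArgs = "/qn ADD_OPINSIGHTS_WORKSPACE=1 " +
                 "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey " +
                 "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 AcceptEndUserLicenseAgreement=1"
    if ($Proxy) { $setupArgs += " OPINSIGHTS_PROXY_URL=$Proxy" }
    $p = Start-Process -FilePath $InstallerPath -ArgumentList "/C:`"setup.exe $setupArgs`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "Agent setup failed with exit code $($p.ExitCode)" }
}

function Test-AgentWorkspace {
    param([string]$WorkspaceId)
    # Read the agent's own configuration back rather than trusting the installer exit code.
    $cfg = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
    $ws  = $cfg.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $WorkspaceId }
    return [bool]$ws
}

# Fetch the workspace key at run time so it never sits in a script, share or GPO in clear text.
$ws   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName
$keys = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $ResourceGroupName -Name $WorkspaceName

Enable-Tls12ForAgent
Install-LogAnalyticsAgent -WorkspaceId $ws.CustomerId -WorkspaceKey $keys.PrimarySharedKey -Proxy $ProxyUrl
if (-not (Test-AgentWorkspace -WorkspaceId $ws.CustomerId)) {
    throw 'Agent installed but is not reporting to the expected workspace'
}
```

The final check matters because a wrong workspace ID or key still leaves an installed service; only GetCloudWorkspaces() shows whether the agent is actually bound to the intended workspace.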

Enable Update Management for non-Azure computers

Enabling Update Management on non-Azure computers has the following prerequisites:

  • Deploy the Log Analytics agent and connect to a Log Analytics workspace.

Previous procedures explain how to configure those prerequisites.

After installing the Log Analytics agent on an on-premises computer, enable Update Management in the Azure portal by using the following procedure:

  1. In the Azure portal, select All services, and then enter automation. As you begin entering this text, the list filters based on your input. Select Automation Account, and then select the Automation account that you created earlier.
  2. In the Automation Account pane, select Update Management in the Update Management section.
  3. In the Update Management pane, select Manage machines, and then select computers that are listed and have been configured to send log data to the Log Analytics workspace.
  4. Select Enable to finish the configuration of Update Management on non-Azure machines.

Each Windows computer managed by Update Management is listed in the Hybrid Worker groups pane as a System Hybrid Worker group for the Automation account. Use these groups only for deploying updates, not for targeting the groups with runbooks for automated tasks.

Manageability considerations

Manage updates for Azure VMs and non-Azure machines

Update assessment for all missing updates that both Azure VMs and non-Azure computers require is visible in the Update Management section of your Automation account.

Schedule an update deployment by using the Azure portal or by using PowerShell, which creates schedule assets that are linked to the Patch-MicrosoftOMSComputers runbook.

Use the following procedure to schedule a new update deployment:

  1. In your Automation account, go to Update management under Update management, and then select Schedule update deployment.

  2. Under New update deployment, use the Name box to enter a unique name for your deployment.

  3. Select the operating system to target for the update deployment.

  4. In the Groups to update pane, define a query that combines subscription, resource groups, locations, and tags to build a dynamic group of Azure VMs to include in your deployment. To learn more, refer to Use dynamic groups with Update Management.

  5. In the Machines to update pane, select a saved search, an imported group, or pick Machines from the drop-down menu, and then select individual machines.

  6. Use the Update classifications drop-down menu to specify update classifications for products.

  7. Use the Include/exclude updates pane to select specific updates for deployment.

  8. Select Schedule settings to define a time when the update deployment will run on computers.

  9. Use the Recurrence box to specify if the deployment occurs once or uses a recurring schedule, and then select OK.

  10. In the Pre-scripts + Post-scripts (Preview) region, select the scripts to run before and after your deployment. To learn more, refer to Manage pre-scripts and post-scripts.

  11. Use the Maintenance window (minutes) box to specify the amount of time that's allowed for updates to install.

  12. Use the Reboot options box to specify the way to handle reboots during deployment.

  13. When you finish configuring the deployment schedule, select Create.

Results of a completed update deployment are visible in the Update Management pane on the History tab.
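The deployment the portal procedure above builds, created from PowerShell instead; this is an added example, not code from the original article. It assumes the Az.Automation module and an authenticated session (Connect-AzAccount); the resource names, region, tag and excluded KB are placeholders. The schedule asset it creates is the one the article says gets linked to the Patch-MicrosoftOMSComputers runbook, and the dynamic group in step 4 is expressed with New-AzAutomationUpdateManagementAzureQuery.

```powershell
# Added example: schedule an update deployment with Az.Automation.
# Assumes Connect-AzAccount has run; all resource names below are placeholders.
param(
    [string]$ResourceGroupName     = '<resource-group>',
    [string]$AutomationAccountName = 'hybrid-auto',
    [string]$DeploymentName        = 'windows-security-monthly',
    [string]$TimeZone              = 'Europe/Berlin'
)

function New-PatchSchedule {
    # Steps 8-9: recurring schedule, every 4 weeks, starting the next Saturday at 02:00.
    $next = Get-Date -Hour 2 -Minute 0 -Second 0 -Millisecond 0
    while ($next.DayOfWeek -ne 'Saturday' -or $next -lt (Get-Date)) { $next = $next.AddDays(1) }
    New-AzAutomationSchedule -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name "$DeploymentName-schedule" `
        -StartTime $next -WeekInterval 4 -DaysOfWeek Saturday -TimeZone $TimeZone
}

function New-PatchDeployment {
    param($Schedule)

    # Step 4: dynamic group = Azure VMs in one resource group and region that carry a tag.
    # The VM resource group, location and tag value are placeholders.
    $scope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourceGroups/<vm-resource-group>"
    $query = New-AzAutomationUpdateManagementAzureQuery -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Scope @($scope) `
        -Location @('westeurope') -Tag @{ PatchGroup = 'wave1' }

    # Steps 5-7, 11, 12: a non-Azure machine by name, classifications, an excluded KB,
    # a 2-hour maintenance window, and reboot only when an update requires it.
    New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $DeploymentName `
        -Schedule $Schedule -Windows -AzureQuery @($query) `
        -NonAzureComputer @('onprem-web01') `
        -IncludedUpdateClassification Critical, Security `
        -ExcludedKbNumber '<KB-to-exclude>' `
        -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired
}

$schedule = New-PatchSchedule
$config   = New-PatchDeployment -Schedule $schedule
$config | Select-Object Name, ProvisioningState
```

Restricting classifications to Critical and Security and keeping the window to two hours mirrors the portal defaults a security team usually wants; widen either only after the dynamic group has been checked against the inventory it resolves to.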

Configure Windows Update settings

Azure Update Management depends on the Windows Update client to download and install updates, either from Windows Update (the default) or from a Windows Server Update Services (WSUS) server. Configure the Windows Update client to connect to WSUS by using:

  • Local Group Policy Editor
  • Group Policy
  • PowerShell
  • Directly editing the registry

For more information, refer to how to configure Windows Update settings.
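One way to apply the PowerShell and registry options listed above, as an added example that is not from the original article: it writes the WSUS policy values, then reads them back and flags the settings a defender cares about, in particular a WSUS URL that is not HTTPS. The WSUS hostname is a placeholder; run it elevated on the managed computer.

```powershell
# Added example: point the Windows Update client at WSUS via the policy registry keys,
# then verify the result. The WSUS URL is a placeholder (8531 is the WSUS TLS port).
param(
    [string]$WsusUrl = 'https://wsus.contoso.local:8531'
)

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Set-WsusClientPolicy {
    param([string]$Url)
    foreach ($k in @($wuPolicy, $auPolicy)) { New-Item -Path $k -Force | Out-Null }
    # Intranet update server and statistics server: both point at WSUS.
    Set-ItemProperty -Path $wuPolicy -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $wuPolicy -Name WUStatusServer -Value $Url -Type String
    # Use the intranet server instead of public Windows Update.
    Set-ItemProperty -Path $auPolicy -Name UseWUServer -Value 1 -Type DWord
    # Update Management owns the install schedule, so the local automatic-update
    # scheduler is disabled to keep the two from installing in parallel.
    Set-ItemProperty -Path $auPolicy -Name NoAutoUpdate -Value 1 -Type DWord
}

function Test-WsusClientPolicy {
    # Returns a list of findings; an empty list means the policy is set as intended.
    $findings = @()
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    if (-not $wu.WUServer) { return @('WUServer is not set; client uses public Windows Update') }
    if ($au.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1; WUServer is ignored' }
    if ($wu.WUServer -ne $wu.WUStatusServer) { $findings += 'WUServer and WUStatusServer differ' }
    # Over plain http:// the update metadata can be altered in transit; require TLS to WSUS.
    if (-not $wu.WUServer.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
        $findings += "WUServer '$($wu.WUServer)' is not https://"
    }
    return $findings
}

Set-WsusClientPolicy -Url $WsusUrl
$issues = Test-WsusClientPolicy
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { Write-Output 'WSUS client policy OK' }
# Restart the client service so it reads the new policy and checks in with WSUS.
Restart-Service -Name wuauserv
```

Test-WsusClientPolicy can be run on its own as a periodic compliance check; the HTTPS finding is the one to treat as a hard failure, since WSUS over plain HTTP undermines the integrity of every update the client subsequently installs.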

Integrate Update Management with Microsoft Endpoint Configuration Manager

The Software Update Management cycle can integrate with Microsoft Endpoint Configuration Manager for customers that are already using this product to manage PCs, servers, and mobile devices.

To integrate Software Update Management with Endpoint Configuration Manager, first integrate Endpoint Configuration Manager with Azure Monitor logs and import the collections in the Log Analytics workspace.

For details, refer to Connect Configuration Manager to Azure Monitor.

To manage updates on local computers, configure them with:

  • The Endpoint Configuration Manager client.
  • The Log Analytics agent, which is configured to report to a Log Analytics workspace that's enabled for Update Management.
  • Windows agents that are configured to communicate with WSUS or have access to Microsoft Update.

To manage updates on computers with Endpoint Configuration Manager, deploy the following roles on the Endpoint Configuration Manager computer:

  • Management point. This site system role manages clients with a policy that contains configuration settings and service location information.
  • Distribution point. This contains source files for clients.
  • Software update point. This is a role on the server that's hosting WSUS.

Manage software updates by using:

  • Endpoint Configuration Manager
  • Azure Automation

Partner updates on Windows machines can be deployed from a custom repository that System Center Updates Publisher (SCUP) provides. SCUP can import custom updates either in standalone WSUS or integrated with Endpoint Configuration Manager.

For more information, refer to Integrate Update Management with Windows Endpoint Configuration Manager.

Deploy the Log Analytics agent by using a PowerShell script

To accelerate deployment of the Log Analytics agent with the Hybrid Worker role running on a Windows computer, use the New-OnPremiseHybridWorker.ps1 PowerShell script. The script:

  • Installs the necessary modules.
  • Signs in with your Azure account.
  • Verifies the existence of a specified resource group and Automation account.
  • Creates references to Automation account attributes.
  • Creates an Azure Monitor Log Analytics workspace if not specified.
  • Enables the Automation solution in the workspace.
  • Downloads and installs the Log Analytics agent for the Windows operating system.
  • Registers the machine as a Hybrid Runbook Worker.

Deploying many agents in an on-premises infrastructure can be orchestrated by using command-line scripts and by using Group Policy or Endpoint Configuration Manager.

Use dynamic groups for Azure and non-Azure machines

Dynamic groups for Azure VMs filter VMs based on a combination of:

  • Subscriptions
  • Resource groups
  • Locations
  • Tags

Dynamic groups for non-Azure computers use saved searches to filter the computers for deployment of the update. Saved searches, also known as computer groups, can be created by using:

  • A log query. Use Azure Data Explorer to define a logical expression to filter the computers.
  • Active Directory Domain Services. A group is created in Log Analytics workspace for any members of an Active Directory domain.
  • Endpoint Configuration Manager. Import computer collections from Endpoint Configuration Manager into a Log Analytics workspace.
  • WSUS. Groups that are created in WSUS servers can be imported into a Log Analytics workspace.

For more information on how to create computer groups for filtering machines for update deployment, refer to Computer groups in Azure Monitor log queries.

Scalability considerations

Azure Automation can process up to 1,000 computers per update deployment. If you expect to update more than 1,000 computers, you can split up the updates among multiple update schedules. Refer to Azure subscription and service limits, quotas, and constraints.

Availability considerations

  • Currently, mappings between Log Analytics Workspace and Automation Account are supported in several regions. For further information, refer to Supported regions for linked Log Analytics workspace.
  • Supported client types: Update assessment and patching are supported on Windows and Linux computers that run in Azure or in your on-premises environment. Currently, the Windows client isn't officially supported. For a list of the supported clients, refer to Supported client types.

Security considerations

  • Update Management permissions: The Update Management component of Automation and the Log Analytics workspace component of Monitor can use role-based access control (RBAC) with built-in roles from Azure Resource Manager. For segregation of the duties, these roles can be assigned to different users, groups, and security principals. For a list of the roles in Automation accounts, refer to Manage role permissions and security.
  • Encryption of sensitive assets in Automation: An Automation account can contain sensitive assets such as credentials, certificates, and encrypted variables that runbooks might use. Each secure asset is encrypted by default using a data encryption key that's generated for each Automation account. These keys are encrypted and stored in Automation with an account encryption key that can be stored in the Azure Key Vault for customers who want to manage encryption with their own keys. By default, an account encryption key is encrypted by using Microsoft-managed keys. Use the following guidelines to apply encryption of secure assets in Azure Automation.
  • Runbook permissions for a Hybrid Runbook Worker: By default, runbooks on a Hybrid Runbook Worker run in the system context of the machine where the worker is deployed. A runbook provides its own authentication to local resources. Authentication can be configured using managed identities for Azure resources or by specifying a Run As account to provide a user context for all runbooks.
  • Network planning: Hybrid Runbook Worker requires outbound internet access over TCP port 443 to communicate with Automation. For computers with restricted internet access, you can use the Log Analytics gateway to configure communication with Automation and an Azure Log Analytics workspace.
  • Azure Security baseline for Automation: Azure security baseline for Automation contains recommendations about how to increase overall security to protect your assets following best practice guidance.

DevOps considerations

  • You can schedule update deployment programmatically through the REST API. For more information, refer to Software Update Configurations - Create.
  • Azure Automation allows integration with popular source control systems like Azure DevOps and GitHub. With source control, you can integrate an existing development environment that contains your scripts and custom code that has been previously tested in an isolated environment.
  • For more information about how to integrate Automation with your source control environment, refer to Use source control integration.

Cost considerations

  • Use the Azure pricing calculator to estimate costs. For more information about Automation pricing models, refer to Automation pricing.
  • Azure Automation costs are priced for job execution per minute or for configuration management per node. Every month, the first 500 minutes of process automation and configuration management on five nodes are free.
  • An Azure Log Analytics workspace might generate more costs related to the amount of log data that's stored in Azure Log Analytics. The pricing is based on consumption, and the costs are associated with data ingestion and data retention. For ingesting data into Azure Log Analytics, use the capacity reservation or pay-as-you-go model that includes 5 gigabytes (GB) free a month for each billing account. Data retention for the first 31 days is free of charge.
  • Use the Azure pricing calculator to estimate costs. For more information about Log Analytics pricing models, refer to Azure Monitor pricing.